Manage private connectivity endpoints: AWS

This topic provides information on how to manage private connectivity endpoints for use with outbound private connectivity to AWS.

Provision private connectivity endpoints

You can use the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT system function to create a private connectivity endpoint by specifying the service or resource, and the hostname. You must use the ACCOUNTADMIN role when using this system function.

Note

If you are using private connectivity for an external stage or external volume, you must use a wildcard character (*) when specifying the hostname. Using the wildcard does not mean that all S3 buckets are accessed over a private connection. Only buckets referenced by a Snowflake object that is enabled for private connectivity (that is, the external stage or external volume) can be accessed via the VPC endpoint.

The SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function accepts a provider service name and host name as its arguments. You can obtain these values by using the describe-vpc-endpoint-services subcommand from the AWS command line. As described in the AWS documentation, this AWS subcommand returns a JSON object with a ServiceName field and a PrivateDnsName field. Use the following table to determine which values to use for the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT function:

SYSTEM$PROVISION_PRIVATELINK_ENDPOINT argument    describe-vpc-endpoint-services output
provider_service_name                             ServiceName
host_name                                         PrivateDnsName

If you are using private connectivity for external stages or external volumes, you must prefix the PrivateDnsName value with a wildcard (for example, *.s3.us-west-2.amazonaws.com) when passing it as host_name.

For example, to create a PrivateLink with external access to Amazon S3, execute the following SQL statement to configure an endpoint for us-west-2:

SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(
  'com.amazonaws.us-west-2.s3',
  '*.s3.us-west-2.amazonaws.com'
);

After you create an endpoint, there is a delay before you can use the endpoint. For information about checking the status of a created endpoint, see SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO.
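As an added example (not part of the Snowflake documentation), the following Python applies the argument mapping and the wildcard rule above to describe-vpc-endpoint-services output and emits the provisioning statement. The JSON it parses is a constructed sample; the ServiceDetails wrapper and the ServiceName/PrivateDnsName field names are assumed from the AWS CLI's output shape.

```python
import json
import re

# Constructed sample of `aws ec2 describe-vpc-endpoint-services` output, trimmed to
# the two fields the table above maps to function arguments (not real AWS output).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"ServiceDetails": [
    {"ServiceName": "com.amazonaws.us-west-2.s3",
     "PrivateDnsName": "s3.us-west-2.amazonaws.com"},
    {"ServiceName": "com.amazonaws.us-west-2.sqs",
     "PrivateDnsName": "sqs.us-west-2.amazonaws.com"},
]})

# A DNS label: letters, digits, hyphens; "*" is accepted only as the whole first label.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)

def service_map(describe_json: str) -> dict:
    """Map ServiceName -> PrivateDnsName from the describe-vpc-endpoint-services JSON."""
    data = json.loads(describe_json)
    return {d["ServiceName"]: d["PrivateDnsName"]
            for d in data.get("ServiceDetails", []) if d.get("PrivateDnsName")}

def host_name_problems(host_name: str, for_storage: bool) -> list:
    """Rule violations for a candidate host_name (empty list means acceptable).
    Encodes the rule above: endpoints used by an external stage or external volume
    must have a '*.' wildcard host name; any other endpoint must not."""
    labels = host_name.split(".")
    problems = []
    if for_storage and labels[0] != "*":
        problems.append("external stage/volume endpoints need a '*.' wildcard host name")
    if not for_storage and "*" in host_name:
        problems.append("wildcard host names are only for external stage/volume endpoints")
    for label in (labels[1:] if labels[0] == "*" else labels):
        if not _LABEL.match(label):
            problems.append(f"invalid DNS label: {label!r}")
    return problems

def sql_literal(value: str) -> str:
    """Quote a string as a SQL literal, doubling any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"

def provision_sql(describe_json: str, service_name: str, for_storage: bool) -> str:
    """Build the SYSTEM$PROVISION_PRIVATELINK_ENDPOINT statement for one service."""
    services = service_map(describe_json)
    if service_name not in services:
        raise KeyError(f"{service_name} not in describe-vpc-endpoint-services output")
    host_name = services[service_name]
    if for_storage:
        host_name = "*." + host_name   # wildcard, as required for stages and volumes
    problems = host_name_problems(host_name, for_storage)
    if problems:
        raise ValueError("; ".join(problems))
    return ("SELECT SYSTEM$PROVISION_PRIVATELINK_ENDPOINT(\n"
            f"  {sql_literal(service_name)},\n  {sql_literal(host_name)}\n);")
```

Running provision_sql against the sample with for_storage=True reproduces the us-west-2 S3 statement shown above; the statement still has to be executed with the ACCOUNTADMIN role.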

Remove a private connectivity endpoint to services

You can use the SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT system function to remove a private connectivity endpoint by specifying the service or resource.

After you remove an endpoint, it is placed on a deletion queue and deleted after 7 days.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to remove a PrivateLink with external access to Amazon S3, execute the following SQL statement:

SELECT SYSTEM$DEPROVISION_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');

Restore a private connectivity endpoint to services

You can use the SYSTEM$RESTORE_PRIVATELINK_ENDPOINT system function to restore a removed private connectivity endpoint that is still on the deletion queue by specifying the service or resource. If the endpoint is not found on the deletion queue, then you cannot restore the endpoint.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to restore a PrivateLink with external access to Amazon S3, execute the following SQL statement:

SELECT SYSTEM$RESTORE_PRIVATELINK_ENDPOINT('com.amazonaws.us-west-2.s3');

List all private connectivity endpoints to services

You can use the SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO system function to list all private connectivity endpoints, and information about the endpoints, in your account.

You need to use the ACCOUNTADMIN role when using this system function.

For example, to list all AWS PrivateLink endpoints with AWS services, execute the following SQL statement:

SELECT SYSTEM$GET_PRIVATELINK_ENDPOINTS_INFO();

For a description of the fields of the JSON object returned by the function, see Returns.

Note

You can also query the OUTBOUND_PRIVATELINK_ENDPOINTS view in the ACCOUNT_USAGE schema to list the private endpoints in your account.